CVE-2023-4863 — libwebp Heap Buffer Overflow CRITICAL
🔴 CISA KEV
npm
CVSS 10.0 · sharp < 0.32.6 → 0.33.2
A heap buffer overflow in Google's libwebp library allows remote code execution via a crafted WebP image. The sharp npm package bundles libwebp. Any application that processes WebP images from untrusted sources using sharp is vulnerable. Also affects Chrome, Firefox, and Electron apps.
What's affected
| Package | Ecosystem | Vulnerable | Safe version |
|---|---|---|---|
| sharp | npm | < 0.32.6 | 0.33.2 |
How to fix CVE-2023-4863
- Update sharp to 0.32.6 or later (0.33.2 recommended)
- Run npm install
- If you process user-uploaded images, validate image format before processing
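A lockfile check you can run alongside the steps above, added here as an example rather than PackageFix's own code: it walks the `packages` map of an npm `package-lock.json` (lockfile v2/v3) and reports every copy of sharp below 0.32.6, including nested copies that updating the top-level dependency would leave behind. The sample lockfile is constructed for illustration.

```javascript
// Added example (not PackageFix's code): find every copy of sharp in an npm
// lockfile, including nested ones, and flag versions below 0.32.6.

const FIXED_IN = [0, 32, 6]; // first sharp release shipping the patched libwebp

// Parse "1.2.3" (or "v1.2.3", "1.2.3-rc.1") into numeric parts; prerelease ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when sharp version `v` predates the fixed release.
function isVulnerableSharp(v) {
  const a = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== FIXED_IN[i]) return a[i] < FIXED_IN[i];
  }
  return false;
}

// Return the install path and version of each vulnerable sharp copy.
// Nested copies live under another dependency's node_modules directory and
// are not touched by bumping sharp in your own package.json.
function findVulnerableSharp(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isSharp = path === "node_modules/sharp" || path.endsWith("/node_modules/sharp");
    if (isSharp && isVulnerableSharp(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level sharp is patched, but a
// transitive dependency still pins an old copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { sharp: "^0.33.2" } },
    "node_modules/sharp": { version: "0.33.2" },
    "node_modules/some-image-lib": { version: "1.0.0", dependencies: { sharp: "^0.31.0" } },
    "node_modules/some-image-lib/node_modules/sharp": { version: "0.31.3" },
  },
};

console.log(findVulnerableSharp(sampleLock));
```

For a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result means no vulnerable sharp copy is pinned in the lockfile.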
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2023-4863 no longer appears in the CVE table, you're clean.
Frequently Asked Questions
Is this the same vulnerability as the Chrome zero-day?
Yes — CVE-2023-4863 affects both browsers and any software bundling libwebp, including sharp. Google, Mozilla, and Apple all released emergency patches for this.
Does this affect all WebP image processing?
Any application using a vulnerable version of libwebp to process WebP images is affected. This includes sharp, Electron apps, and browser-based image processing.
Why is sharp CVSS 10.0?
The heap buffer overflow in libwebp allows arbitrary code execution with no authentication. Processing a single malicious WebP image is enough to trigger it.